Impossible Differential Distinguishers of Two Generalized Feistel Structures

Generalized Feistel structures are widely used in the design of block ciphers. In this paper, we focused on retrieving impossible differentials for two kinds of generalized Feistel structures: CAST256-like structure with Substitution-Permutation (SP) or Substitution-Permutation-Substitution (SPS) round functions (named CAST256SP and CAST256SPS, respectively) and MARS-like structure with SP/SPS round function (named MARSSP and MARSSPS, respectively). Known results show that for bijective round function, CAST256-like structures and MARS-like structures have $(m^2 - 1)$ and $(2m - 1)$ rounds impossible differentials, respectively. By our observation, there existed $(m^2 + m)$ rounds impossible differentials in CAST256SP and $(3m - 3)$ rounds impossible differentials in MARSSPS (this result does not require the P layer to be invertible). When the diffusion layer satisfied some special conditions, CAST256SPS had $(m^2 + m - 1)$ rounds impossible differentials and MARSSPS had $(3m - 3)$ rounds impossible differentials.


Introduction
The architecture is one of the most important parts of a block cipher. It directly affects the implementation performance and the number of rounds. The SP structure [1], the Feistel structure [2], and the generalized Feistel structure [3] are the most commonly used architectures. The SP structure is a simple and clear block cipher model designed to implement Shannon's suggestions of confusion and diffusion. This architecture was adopted by the famous block cipher AES [1]. Besides, many block ciphers, including Camellia, E2, and CLEFIA [4][5][6], adopt this kind of round function. Apart from the SP structure, the Feistel structure is another important structure, and many block ciphers employ this architecture, such as DES, GOST, E2, and Camellia [2,4,6,7]. In [3], Nyberg first introduced generalized Feistel structures. The generalized Feistel structures are generalized forms of the classical Feistel cipher. These structures retain some advantages of the classical Feistel cipher, such as encryption-decryption similarity and flexibility in the design of round functions. A large number of ciphers like CAST256, MARS, CLEFIA [5,8,9], etc. use these structures as their architectures.
Impossible differential cryptanalysis was first proposed by Knudsen [10] and Biham et al. [11]. This cryptanalysis uses impossible differentials to discard wrong keys. It has been used to attack Skipjack, AES, Camellia, ARIA [11][12][13][14], etc., with many good results. The key step of impossible differential cryptanalysis is to find the longest impossible differentials [15]. For generalized Feistel structures, since only part of the data is processed in each round, there always exist impossible differentials covering many rounds, and this makes these ciphers vulnerable to impossible differential cryptanalysis.
Because impossible differential cryptanalysis is so effective, many experts work on finding impossible differential distinguishers for block cipher structures, and many remarkable results have been achieved. In [16], the $\mathcal{U}$-method was provided by Kim et al. to find impossible differentials of block cipher structures and was later extended by Bouillaguet et al. [17]; this method uses the inconsistencies of the elements in the set $\mathcal{U}$ to find impossible differentials. It is worth noting that several of the longest impossible differentials of some famous block cipher structures were obtained by this method. As mentioned in [16], for the m-dataline CAST256-like structure and the m-dataline MARS-like structure, the longest impossible differentials cover $m^2$ and $2m$ rounds, respectively. However, the $\mathcal{U}$-method is too general and some important longer impossible differentials are ignored [12], and the longest differential distinguishers of several architectures like GF-NLFSR [18,19], Feistel ciphers [15], SPN [20], and MISTY [21] are obtained by other methods. In [22], a new automatic method was proposed to find more impossible differentials.
It is well known that nonzero linear combinations of several linearly independent vectors cannot be zero. Based on this fact, we present some new inconsistencies to construct impossible distinguishers of CAST256-like structures and MARS-like structures with SP and SPS round functions. To our knowledge, the best previous result is that the m-dataline CAST256-like cipher has an $m^2$ rounds impossible differential distinguisher and the m-dataline MARS-like cipher has a $2m$ rounds impossible differential distinguisher. Our results show that for m-dataline $\mathrm{CAST256}_{SP}$ and $\mathrm{CAST256}_{SPS}$, there exist $(m^2 + m - 1)$ rounds impossible differential distinguishers, and for $\mathrm{MARS}_{SP}$ and $\mathrm{MARS}_{SPS}$, there exist $(3m - 3)$ rounds impossible differential distinguishers. This paper is organized as follows: Section 2 introduces some preliminaries. Section 3 focuses on finding impossible differential distinguishers of m-dataline CAST256-like structures with SP/SPS round function. Section 4 works on finding impossible differential distinguishers of m-dataline MARS-like structures with SP/SPS round function. Section 5 concludes this paper.

Preliminaries
Throughout this paper, we will use the symbols described in Table 1.
It is well known that if f is a linear bijection, then $\Delta_f(\Delta x) = f(\Delta x)$; otherwise $\Delta_f(\Delta x)$ may have several possible values. In this case, we can choose any one for further discussion, and we will use $\Delta_f^{(i)}(\Delta x)$ to distinguish them. Next, we will first describe these two structures, and then lay out some basic definitions and notations.

CAST256-like Structure
An m-dataline CAST256-like network consists of r rounds; each round is defined as follows.
Let $(X_1^{i-1}, X_2^{i-1}, \ldots, X_m^{i-1})$ be the input of the i-th round, and let $(X_1^i, X_2^i, \ldots, X_m^i)$ and $k_i$ be the output and the round key of the i-th round, respectively ($i = 1, 2, \ldots$).
where F is the round function (Figure 1 describes one round of 4-dataline CAST256-like network).

MARS-like Structure
An m-dataline MARS-like network consists of r rounds; each round is defined as follows. Let $(X_1^{i-1}, X_2^{i-1}, \ldots, X_m^{i-1})$ be the input of the i-th round, and let $(X_1^i, X_2^i, \ldots, X_m^i)$ and $k_i$ be the output and the round key of the i-th round, respectively ($i = 1, 2, \ldots$).
where F is the round function (Figure 2 describes one round of 4-dataline CAST256-like network).

Notations.
According to the definition of the round function f, these two cipher structures can be classified into many substructures. The major round functions under study are based on the SP structure and the SPS structure, which are two basic structures of modern ciphers.
Definition 1 (See [1]) (SP network). Let $S_1, \ldots, S_n$: 0, 1 be a linear transformation (P is not required to be a bijection), $k = (k_1, \ldots, k_n) \in \{0, 1\}^{nd}$ is the round key, then the round function $\mathrm{Round}_{sp}$ of the SP network (SPN) is defined by
We use $\mathrm{CAST256}_{SP}$ (resp. $\mathrm{CAST256}_{SPS}$) to denote the CAST256-like structure with SP (resp. SPS) type round function and $\mathrm{MARS}_{SP}$ (resp. $\mathrm{MARS}_{SPS}$) for the MARS-like structure with SP (resp. SPS) type round function.
where θ: Let (2 d ). Then the differential branch number of f is defined by

Two Important Differential Characteristics of CAST256-like Structure
Lemma 1 (See [23]). For the m-dataline CAST256-like structure, any nontrivial differential characteristic of the round function must be with the following form: And Δy denotes the output difference of the round function.
From Lemma 1, we have the following.
Proposition 1. Let (ΔX) be one round differential characteristic of m-dataline CAST256-like structure, then the following equations hold with probability 1.
Proposition 1 can be verified directly from Lemma 1. In the following, we concentrate on two special differences which will help us to find the impossible differentials.
We can conclude the following Lemma.

Lemma 2.
For the m-dataline CAST256-like structure, there exists a rounds differential characteristic from the encryption direction and an $m(m - 1)$ rounds differential characteristic from the decryption direction, both with probability 1.
Figure 1: One round of 4-dataline CAST256-like structure.
(Notation, from Table 1: composition of function f and g, i.e., g(f(x)).)
Security and Communication Networks
Proof. If the input difference is chosen as Applying Proposition 1 repeatedly, the following equations must hold Then we arrive at which implies the differential exists.
From the decryption direction, if the output difference is set as $(O, \ldots, O, \alpha)$, then by Observation 2, after m rounds decryption, the input difference (from the encryption direction) is $(O, \ldots, O, \Delta_F(\alpha), \alpha)$, and applying Observation $(2m - 2)$ times, we may verify this lemma (the whole procedure is listed in Tables 2 and 3).

Impossible Differentials for CAST256-like Structure with SP/SPS Round Function
Theorem 1. Assume A is the permutation layer of $\mathrm{CAST256}_{SP}$, where A is an $n \times n$ matrix over GF(2 d . . , $A_{j_y}$ are linearly independent, then for any n-dimension vector $e_{\Omega_1}$, $e_{\Omega_2}$, is an $(m^2 + m - 1)$ rounds impossible differential of $\mathrm{CAST256}_{SP}$.
Proof. According to Lemma 2, we have $\Delta X^{2m-1}$ By the definition of $e_{\Omega_1}$, we get Similarly, Since $A_{i_1}, \ldots, A_{i_x}, A_{j_1}, \ldots, A_{j_y}$ are linearly independent and $\Delta_S(e_{i_u}) \neq 0$, we have is an $(m^2 + m - 1)$ rounds impossible differential of $\mathrm{CAST256}_{SP}$.
For most designs of the permutation layer, we can easily find indices $i_1, \ldots, i_x, j_1, \ldots, j_y$ that satisfy the condition of Theorem 1.
By considering the 2m rounds differential proposed in Lemma 2, we can find an $(m^2 + m)$ round impossible differential. The result is stated as follows.
is possible.
For $A_{l,i} \neq 0$, we have $\chi_l(A^{(i)}) \neq 0$; since the S layers are parallel bijections and $\varphi_i(e_i) \neq 0$, we obtain $\varphi_i(\Delta_S(e_i)) \neq 0$, so $\chi(\varphi_i(\Delta_S(e_i)) \times A^{(i)}) = \chi(A^{(i)})$. And for χ l (A (i) ≠ 0), we have so we conclude S (e j )) × A (j) ) = 0; thus, the two equations below hold: is an $(m^2 + m - 1)$ rounds impossible differential of $\mathrm{CAST256}_{SPS}$.
Now we consider a special case, when the permutation layer is designed as a binary matrix.
Proof. Since rank(A) ≥ 2, we know there exist some

Corollary 2. Assume
Thus, by Theorem 3, we can conclude the result. Corollary 2 indicates that for binary permutation layer, if its rank exceeds 2, then we can find such impossible differentials. Obviously, this condition is compatible with almost every design.
Table 2: (2m−1) rounds differential characteristics of the m-dataline CAST256-like structure from the encryption direction.
Table 3: m(m − 1) rounds differential characteristics of the m-dataline CAST256-like structure from the decryption direction.
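The proofs in this section rest on two facts: a bijective S layer never maps a nonzero word difference to zero, and linearly independent columns of the P layer cannot cancel each other. The Python sketch below is an added example, not code from the paper; it checks both facts exhaustively on a toy SP round function. The parameters (3 words of 4 bits), the matrices `A_INDEP` and `A_DEP`, the use of PRESENT's S-box, and all function names are assumptions made for illustration.

```python
# Toy parameters are assumptions, not from the paper: n = 3 words of d = 4 bits,
# PRESENT's 4-bit S-box in every position, constructed binary matrices as P layer.
SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]
A_INDEP = [[1, 1, 0], [0, 1, 1], [1, 1, 1]]  # columns independent over GF(2)
A_DEP = [[1, 1, 0], [0, 0, 1], [1, 1, 1]]    # columns 0 and 1 identical
D, N = 4, 3
MASK = (1 << D) - 1

def words(v):
    """Split a packed n*d-bit value into its n words."""
    return [(v >> (D * i)) & MASK for i in range(N)]

def delta_f(f, dx):
    """Delta_f(dx): every value f(x) ^ f(x ^ dx) for a d-bit function f."""
    return {f(x) ^ f(x ^ dx) for x in range(1 << D)}

def sp_round(A, x):
    """SP round function: parallel S-boxes, then multiplication by binary A.
    The round key is omitted: all x are enumerated, so it cannot change
    the set of differences."""
    s = [SBOX[w] for w in words(x)]
    y = 0
    for l, row in enumerate(A):
        acc = 0
        for a, w in zip(row, s):
            if a:
                acc ^= w
        y |= acc << (D * l)
    return y

def chi(v):
    """Activity pattern of a difference: 1 where the word is nonzero."""
    return tuple(int(w != 0) for w in words(v))

def column(A, i):
    return tuple(row[i] for row in A)

def output_diffs(A, active):
    """All output differences of sp_round over every input pair whose
    difference is nonzero exactly on the word positions in `active`."""
    table = [sp_round(A, x) for x in range(1 << (D * N))]
    want = tuple(int(i in active) for i in range(N))
    diffs = set()
    for dx in range(1, len(table)):
        if chi(dx) == want:
            diffs |= {table[x] ^ table[x ^ dx] for x in range(len(table))}
    return diffs

if __name__ == "__main__":
    for i in range(N):
        print(i, {chi(d) for d in output_diffs(A_INDEP, {i})}, column(A_INDEP, i))
    print(0 in output_diffs(A_INDEP, {0, 1}), 0 in output_diffs(A_DEP, {0, 1}))
```

With one active word the output pattern always equals the support of the matching column of A, and a zero output difference from two active words appears only for the matrix with dependent columns.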

Two Important Differential Characteristics of MARS-like Structure
The following lemma is trivial.

Lemma 3.
For the m-dataline MARS-like cipher, any nontrivial differential characteristic of the round function must be with the form , and Δy denotes the output difference of the round function.
From Lemma 3, we can verify the properties as below.
be the same as in the previous propositions; following this, if Based on these two Observations, we can conclude the Lemma below.  Tables 4 and 5, we listed the whole procedure).

Retrieving Impossible Differential for MARS-Like Structure with SP/SPS Round Function
Before we start this section, we will introduce the definition of collect set.
Proof. By Lemma 4 we have from the decryption direction. We assume $A \times \Delta_S(\Delta x) = \Delta x$, then This indicates $\mathrm{Col}(\chi(\Delta_S(\Delta x)) \mid \chi(\Delta x), A \mid E)$ are linearly dependent, which contradicts $\mathrm{Ch}(\mathrm{Col}((\chi(\Delta x) \mid \chi(\Delta x)), (A \mid E))) = 1$. So $A \times \Delta_S(\Delta x) \neq \Delta x$, i.e., $\Delta X_1^i \neq \Delta X_2^i$. However, by Lemma 4, we have from the encryption direction, and this leads to a contradiction.
Proof. By Lemma 4 we have, from the decryption direction. Since
According to Theorem 5, the case where a binary matrix is employed is characterized as follows.
Thus, $\chi(e_{\{j_1, j_2\}}) \notin \mathrm{Pat}(\mathrm{Col}(\chi(e_{\{j_1, j_2\}}), A))$. Compared with other designs, a binary diffusion layer has an obvious advantage in implementation and thus is a very common design, and for this case, the conditions of Corollary 4 can be satisfied most of the time.

Conclusion
Generalized Feistel structures are of great importance in modern block cipher design. Evaluating the strength of these structures can help us in constructing a secure cipher. Among all cryptanalysis techniques, impossible differential cryptanalysis is one of the most powerful attacks.
This paper provides an improvement in finding the longest impossible differentials for two generalized Feistel structures named the CAST256-like structure and the MARS-like structure.
This paper builds some links between impossible differentials and linear transformations. We provide some sufficient conditions on the linear transformations. By our results, longer impossible differentials may be found by verifying some properties of the linear transformations. Thus, the properties we list in this paper should be considered carefully when using these two structures.

Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.